File-type components and hashes

[jkowalleck]

currently, SBOM "components" are detected based an a package.json file.
thats cool for most situatons.

but what if there is just no package.json? or it is untrusted for reasons?

Let's add file-based (sub-)components, that have a proper hash to them.
-> the feature is disabled by default, can be enabled by a new config option. name to be defined.

expected outcome:

• components that represent "packages" have sub-components, one for each file that us used.
  • each of the file-based sub-components has a computed set of hashes on them.
  • each of the file-based sub-components name is the relative path of the file. relative to the root component.
• if no package.json can be found (other than the projects own one), then the file used by webpack should be resulting in a SBOM component of type "file",
  • each of the file-based components has a computed set of hashes on them.
  • each of the file-based components name is the relative path of the file. relative to the root component.

May need an extra property taxonomy cdx:webpack according to https://github.com/CycloneDX/cyclonedx-property-taxonomy